The good folks over at Google have discovered a vulnerability that allows the plaintext of an SSLv3 session to be calculated. The CVE number for this vulnerability is CVE-2014-3566. This has sent the security industry into a frenzy (again).
How does this vulnerability affect deZillium and its customers? It DOESN'T!
How is that possible? Leaders in the security industry are pulling their hair out trying to get companies to patch, yet you say that deZillium is not affected?!?! deZillium is not one of the usual run-of-the-mill hosting companies. It's in our core ethics that we'd rather lose a client than compromise our security. That's why for the past year we did NOT allow ANY of the SSL protocols (after warning world+dog that the SSL protocols HAVE been broken for quite some time, and nobody paying any attention to us), and only explicitly allowed TLS protocols with perfect forward secrecy algorithms (if supported by the client, otherwise normal TLS algorithms with (at a minimum) HIGH grade encryption). In plain English: only the absolute best encryption algorithms that are available today.
But, but, isn't TLS based on SSL? NO! TLS is a completely different protocol that can fall back to SSL if you allow it for backwards compatibility (and we don't).
That's all good and dandy, but how about FTP/email? That too. We do NOT compromise our security under ANY circumstances. If your system does not support our encryption methods, it's time to get rid of that copy of XP and move on. Just in case we missed something, we are currently performing a full audit of our systems.
All of our encrypted websites (and the ones we host too!) have consistently scored an A+ on the SSLLabs website. That puts us in the top 1.2% (yes, top one point two percent) of all the SSL/TLS websites tested globally. Just to put the score in context, we tested two of the largest banks in Cyprus against the SSLLabs website. One of them got an F and the other one got a B. Both of them were vulnerable to Man-in-the-Middle attacks.
In summary, it's time to grab the popcorn and watch everyone out there scramble to do what we have done for quite a few months:
COMPLETELY DISABLE ALL OF THE SSL PROTOCOLS!
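The policy described above (no SSL protocols at all, forward-secret TLS suites first, HIGH-grade suites as the fallback) as an added example, not the hosting company's own configuration: a Python `ssl` server context built that way, plus an audit of what it would offer, the way a scanner sees it. The cipher string, the TLS 1.2 floor and the helper names are my assumptions; the post itself only says "TLS".

```python
import ssl

# OpenSSL cipher policy (assumed for this example): ECDHE first, then DHE, both
# forward secret, then the remaining HIGH-grade suites (RSA key exchange) as the
# fallback for clients that cannot do PFS. Anonymous, NULL, MD5, RC4, 3DES, PSK
# and SRP suites are removed so nothing weak or non-PFS sneaks in ahead of them.
PFS_FIRST_HIGH = "ECDHE+HIGH:DHE+HIGH:HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"


def build_tls_only_context() -> ssl.SSLContext:
    """Server context that refuses SSLv2/SSLv3 and prefers forward-secret suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The post only required "TLS"; TLS 1.2 is the sensible floor today.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_FIRST_HIGH)
    return ctx


def is_pfs(cipher: dict) -> bool:
    """Forward secrecy: ephemeral (EC)DH key exchange, or any TLS 1.3 suite."""
    return cipher["protocol"] == "TLSv1.3" or cipher["name"].startswith(("ECDHE-", "DHE-"))


def is_weak(cipher: dict) -> bool:
    """Below OpenSSL's HIGH grade (<128-bit keys) or built on a broken primitive."""
    bad = ("NULL", "RC4", "MD5", "EXP", "DES-CBC", "ADH", "AECDH")
    return cipher["strength_bits"] < 128 or any(b in cipher["name"] for b in bad)


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise the offered protocol floor and cipher list against the policy."""
    ciphers = ctx.get_ciphers()  # preference order, as offered to clients
    flags = [is_pfs(c) for c in ciphers]
    # Note: a legacy suite such as AES256-SHA reports protocol "SSLv3" here; that is
    # where it was first defined. Whether SSLv3 is spoken is decided by minimum_version.
    return {
        "tls_only": ctx.minimum_version >= ssl.TLSVersion.TLSv1,
        "suites": len(ciphers),
        "pfs_suites": sum(flags),
        "fallback_suites": len(ciphers) - sum(flags),
        "weak_suites": [c["name"] for c in ciphers if is_weak(c)],
        # "PFS if supported, otherwise HIGH": every PFS suite precedes every non-PFS one
        "pfs_preferred": flags == sorted(flags, reverse=True),
    }


if __name__ == "__main__":
    for key, value in audit(build_tls_only_context()).items():
        print(f"{key}: {value}")
```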
Google and Mozilla said that they will be phasing out SSLv3 in their browsers in coming versions. Nice to see the industry finally catching up.
Twitter has announced that they are dropping support for SSLv3:
"We have disabled SSLv3 protocol support in response to the vulnerability published today. You may need to update your browser to use Twitter" — Twitter Security (@twittersecurity) October 15, 2014
Cloudflare has also announced that they are dropping support for SSLv3:
"CloudFlare has disabled SSLv3 across our network by default for all customers. This will have an impact on some older browsers, resulting in an SSL connection error,"